Researchers at Tokyo-based anti-virus firm Trend Micro have
discovered a new twist on banking Trojans that doesn't interact
with the victim at all.

Standard banking Trojans dupe an account holder into logging in
to a duplicate of his bank's website, thereby conning him into
giving up his username, password and account number, which the
criminals use to log in after he's done.

The new Trojan instead hides in the Web browser and waits for the
user to log into his bank's site. Once he does, it introduces
special software that triggers an automatic transfer system (ATS)
that moves money out of the victim's account to another account
within the same bank, and covers up the evidence so that neither
the user nor the bank notices right away.

"As long as a system remains infected with an ATS, its user will
not be able to see the illegitimate transactions made from
his/her accounts," wrote Trend Micro researcher Loucif
Kharouni. "This essentially brings to the fore automated
online banking fraud because cybercriminals no longer need
user intervention to obtain money."

Pulling off such a heist is complicated. The malware must often
be custom-made for each bank website, which involves lots of
research and coding on the part of the malware authors, and
results in high prices for each piece in cybercrime bazaars.

Destination accounts must also be created at the targeted banks
so that the malware has a place to deposit the stolen money, and
a network of "money mules" must be recruited to access the
destination accounts and move the money again, this time out of
the bank.

Furthermore, writes Kharouni, the amounts transferred must be
fairly small in order not to trigger alerts within the banking
system. The Trend Micro researchers saw amounts ranging from 500
euro to 13,000 euro ($635 to $16,500 in U.S. dollars).

The most commonly targeted banks are in Britain, Italy and
Germany, countries where, according to Trend Micro,
online-banking verification practices are strong — and hence
necessitate the use of stealthy malware that needs no
verification at all.

American banks are apparently not on the menu yet. Kharouni cites
two reasons: First, it's not easy for online criminals based in
Eastern Europe to open up accounts in U.S. banks; and second,
most American banks have weak verification methods that make the
older, cheaper variants of banking Trojans still profitable
on these shores.

To avoid being hit by a banking Trojan, whether old or new, make
sure to have robust anti-virus software installed on your PC
or Mac, and set it to automatically update its malware
definitions.